Performing CyberOps Using Cisco Security Technologies (CBRCOR) — Question 69
An employee who often travels abroad logs in from a first-seen country during non-working hours. The SIEM tool generates an alert that the user is forwarding an increased number of emails to an external mail domain and then logs out. The investigation concludes that the external domain belongs to a competitor. Which two behaviors triggered UEBA? (Choose two.)
Answer options
- A. domain belongs to a competitor
- B. log in during non-working hours
- C. email forwarding to an external domain
- D. log in from a first-seen country
- E. increased number of sent mails
Correct answer: B, D
Explanation
The correct answers are B and D: logging in during non-working hours and logging in from a first-seen country are unusual behaviors that indicate potential security risks. Email forwarding to an external domain and the external domain's association with a competitor are concerning, but they do not directly pertain to the UEBA triggers, which relate to user authentication patterns.